These new attacks, which started around Jan. 24, apparently are the work of a group called Magecart Group 7, according to the new report. The researchers call the technique that this group is using "MakeFrame" because it incorporates iframes to help skim the card data from the online checkout functions of websites and obfuscate the malicious JavaScript code.

"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time," the researchers note.

Since January, the RiskIQ researchers have spotted these new payment card skimmers on 19 ecommerce sites' checkout pages. While Magecart groups generally have targeted larger e-commerce sites, the victims of these latest attacks are mainly smaller businesses (see: New Skimmer Attack Steals Data From Over 100 E-Commerce Sites).

It's not clear if any of the information stolen from these sites is being offered for sale on dark net marketplaces, says Jordan Herman, a threat researcher at RiskIQ, which is notifying the companies affected.

Magecart Attacks Increase

Magecart is an umbrella name for a group of cybercriminal gangs that have been planting JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on dozens of sites over the last several years.

In February, RiskIQ noticed an uptick in these groups' activity, which might be attributed to a burst in online shopping due to the COVID-19 pandemic that has kept people in their homes under quarantine orders.

"We've seen an increase in our detections of Magecart of about 20 percent when we compare March to February, so it appears that Magecart actors are taking advantage of the current situation," Herman tells Information Security Media Group.

How MakeFrame Works

Since January, the RiskIQ researchers have collected several versions of the MakeFrame skimmer, ranging from code that is still in development to fully functioning versions that use encryption and obfuscation techniques to hide their presence.

Once this malicious code is injected into an ecommerce site's checkout function, it is "nestled in amongst benign code to blend in and avoid detection," according to the report. The skimmers use an array of hex-encoded strings to help hide themselves; they also use "code beautifiers," which make it nearly impossible to de-obfuscate.

The skimmers create the iframes to steal payment card data as well as other information, according to the report. They create a fake checkout page that mimics the real one and includes fields for victims to input their card numbers and other data.

The malicious code can also create a "submit" button. Once victims enter their payment card information and hit submit, the data is collected by the skimmers and stored for later.
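A defender-side triage check for the obfuscation described above, as an added example that is not from the RiskIQ report or this article: it finds arrays of hex-escaped string literals in a script, decodes them, and flags decoded values related to iframe creation or card fields. The keyword list, the three-entry threshold and the sample script are constructed assumptions.

```javascript
// Added example: static triage for arrays of hex-escaped strings in a script.
// KEYWORDS and minEntries are assumptions chosen for illustration.
const KEYWORDS = ["iframe", "createelement", "appendchild", "cardnumber", "cvv", "submit"];

// An array literal made only of quoted strings, and the strings inside it.
const ARRAY_RE = /\[((?:\s*(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')\s*,?)+)\s*\]/g;
const STRING_RE = /"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'/g;
// A string body that consists entirely of \xNN escapes.
const ALL_HEX_RE = /^(?:\\x[0-9a-fA-F]{2})+$/;

// Turn \xNN escapes in a string-literal body back into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return one finding per array that holds at least minEntries fully hex-escaped strings.
function scanScript(source, minEntries = 3) {
  const findings = [];
  for (const arr of source.matchAll(ARRAY_RE)) {
    const bodies = [...arr[1].matchAll(STRING_RE)].map(m => m[1] ?? m[2]);
    const hexCount = bodies.filter(b => ALL_HEX_RE.test(b)).length;
    if (hexCount < minEntries) continue; // ordinary string arrays are ignored
    const decoded = bodies.map(decodeHexEscapes);
    const haystack = decoded.join("\n").toLowerCase();
    findings.push({ offset: arr.index, decoded, hits: KEYWORDS.filter(k => haystack.includes(k)) });
  }
  return findings;
}

// Constructed sample: one hex-escaped lookup array next to a benign array.
const toHex = s => [...s].map(c => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE =
  `var _0xa1 = ["${toHex("iframe")}", "${toHex("createElement")}", "${toHex("cvv")}", "${toHex("submit")}"];\n` +
  `var sizes = ["small", "medium", "large"];`;

for (const f of scanScript(SAMPLE)) {
  console.log(`offset ${f.offset}: decoded=${JSON.stringify(f.decoded)} hits=${f.hits.join(",")}`);
}
```

A hit is a reason to review the script by hand, since legitimate minified code can also contain hex-escaped strings.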

Once the stolen data is harvested, it's stored on the targeted e-commerce site before being transferred to another domain that is also infected with a Magecart Group 7 skimmer, Herman says.

"The most novel part of Group 7's activities is their use of compromised websites for data exfiltration," Herman says. "Generally, skimming campaigns use their own domains to exfiltrate the stolen card data. I don't believe we have seen any other groups who have copied this technique from Group 7."

The report notes that many of these same skimming techniques were used to target the company OXO in 2017 and 2018, which could mean the same Magecart group is involved.

In March, researchers at the security firm Malwarebytes found that the ecommerce site for Tupperware was infected with a JavaScript skimmer that used iframes to help create fake checkout pages and hide its code within legitimate sites (see: Tupperware Website Hit by Card Skimmer).

And while the techniques in all these attacks are similar, it's not clear if they are all tied to Magecart Group 7. "The use of iframes and creating payment forms is similar, though the similarities between the skimmers appear to end there. We've seen a few distinct skimmers using that technique in recent months," Herman says.

About the Author

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
